The review – which was launched by David Willetts, minister for universities and science, at ICAEW this morning – reveals the cyber dangers inherent in corporate finance transactions, particularly mergers and acquisitions. These can involve as many as 40 different groups of advisers, experts, brokers, investors, bankers, accountants and lawyers, as well as employees and directors at the companies themselves .
“This makes for a very juicy target,” Willetts said. “M&A transactions are vulnerable to attack because you are sharing data with so many people and you don’t know their systems are as secure as yours. You are only as strong as your weakest link.”
Cyber attacks, he warned, are a threat to all businesses today. “Indeed, the director of GCHQ, Sir Iain Lobban, reports that Britain is experiencing ‘industrial espionage on an industrial scale’.”
And he quoted the case of a FTSE 350 company with good cyber security in place which was involved in the acquisition of a small business with poor network security.
As a result, a hacker had unfettered access to the whole network for over a year during which it was responsible for a significant portion of all network traffic and stole data related to new technology.
It is problems like this that persuaded the Association for Financial Markets in Europe(afme) to make its policy recommendation. Speaking at the launch of Cyber Security in Corporate Finance, afme chief executive Simon Lewis said that cyber security would become one of the key features of its due diligence checklist and that its members would be expected to evaluate the cyber risks to companies through discussions with board members. “We think that this is a really important and timely step,” he added.
As well as setting out the cyber security dangers facing the corporate finance sector, the review provides a practical guide to the questions to ask and actions to take during the different phases of the transaction. In particular, it says, people should only be provided with sensitive data on a need to know basis: even in the same organisation, people should be given access to different levels of information, depending on their role.
Corporate finance is a major area of economic activity in the UK – last year UK-related M&A deals totalled £216.8bn – and the government is keen to encourage its growth. Which is why the Cabinet Office approached ICAEW for help on reviewing cyber security in the sector.
ICAEW set up a taskforce with membership drawn from a wide range of stakeholders including the government, AFME, the London Stock Exchange, the Association of Corporate Treasurers, the Takeover Panel, the British Private Equity & Venture Capital Association and the Law Society, as well as accountancy and law firms and investment businesses. The review is based on their input and experience.
Willetts said he wanted to make the UK one of the most secure places in the world to do business online. The review, he believed, would “allow the corporate finance sector to make the most of the opportunities that cyberspace can offer, helping the UK get ahead in the global race”.
Corporate Finance Faculty head David Petrie believes that it is initiatives like the guidance – the first of its kind in the corporate finance world – which will make the City of London the best place for business to go to for advice on corporate transactions. “It places ICAEW members and the City at the forefront of measures designed to combat the threat to corporate finance transactions arising from cyber security breaches.”
He added that, although the risk from cyber attacks was real, business should not be put off undertaking corporate finance transactions. “The message is if you are going to do it, do it here in the UK. Yes, it’s a risk but there is risk everywhere in the world and the review provides us with the opportunity to lead the way when it comes to market confidence and conducting corporate finance transactions in a safe way.”